IBM Security zSecure Admin, IBM Security zSecure Visual, and IBM Security zSecure CICS® Toolkit together provide administrative, provisioning, and management components that can significantly reduce administration time, effort, and costs, and help improve productivity and response time, as well as help reduce training time for new administrators.

IBM Security zSecure Compliance and Administration, IBM Security zSecure Compliance and Auditing, and IBM Security zSecure Administration are now at V2.1.1. Refer to the Description section for more information.

zSecure suite provides a user-friendly interface for RACF, with extensive auditing and monitoring capabilities for the enterprise security hub. It can result in more efficient and effective administration and compliance to defined security policies.

zSecure suite helps free administrators to focus on security. While preventing security breaches is paramount, administrators are frequently bogged down with tedious, time-consuming, day-to-day tasks that divert their attention from security issues. zSecure suite offers a range of products designed to help reduce administration time and enable valuable mainframe resources to focus on improving security quality.

Over the past decade, the number of requirements organizations must comply with has increased dramatically. Keeping up with the demands for audit and controls documentation, while also trying to prevent security breaches, can be overwhelming. zSecure suite delivers auditing, monitoring, and compliance management solutions designed to help reduce security exposures by tracking security events and helping prevent exposures to compliance requirements.

IBM Security zSecure Admin V2.1.1 is a leading security software program that enables efficient and effective IBM RACF administration, typically using significantly less resources. By putting a user-friendly layer over your RACF databases, you can quickly enter and process administrative commands, generate custom reports, and clean up databases. By implementing a repeatable process for security management, Secure Admin can help you reduce errors and improve the overall quality of services and security levels.

RACF administrators can create a mirrored offline copy of the RACF database that can be used to check and verify configuration changes without affecting the production database. This ability to test changes and review the results before implementing them can reduce the risks of introducing errors into the production database, through human error, and possible outages of security. The zSecure Admin RACF offline database is an excellent training ground for new administrators since it does not affect the production RACF database.

zSecure Admin also offers the capability to compare RACF databases to identify the differences in access and users. It also provides the capability to merge RACF databases, thereby, helping reduce the number of databases.

RACF database cleanup Access Monitor function addresses the problem of obsolete authorizations, for example, by removing authorizations that have not been used for a year, which is an administrative issue that is increasingly unacceptable from a compliance, governance, and risk perspective. This pertains to unused permits (user and group authorizations) as well as unused connects (group membership). At the same time, if the authorizations are obsolete, it is likely that the corresponding resources are equally obsolete and should also be cleaned up. Obsolete resources on the system represent a security risk because they could be reused for another purpose, and inappropriate access might be granted by virtue of the obsolete authorizations lingering in the security database.

Removal of unused profiles is also possible but requires a manual review step since there might be reasons for the existence for a profile that the program would not know. The RACF cleanup function can be used to reduce the overhead of the processing around yearly authorization reviews demanded by some regulations.

IBM Security zSecure CICS Toolkit V2.1.1 adds mainframe administration capabilities to the IBM CICS environment, such as password resets and authorization management. Its easy-to-use menu enables users to stay within the CICS application, to issue security commands to the mainframe rather than forcing them into another environment. Your field administrators can quickly issue commands through a user-friendly menu for functions, such as password resets, for failed user logins and user additions.

If you have an application on your web server that communicates with CICS on your mainframe, your CICS application can use the advanced COBOL API capabilities in zSecure CICS Toolkit to execute select RACF security functions. Such functions could be verification of a user ID and password entered on the web interface against the RACF database or retrieval of information about a user ID and its privileges from the RACF database that gets passed on to the web application.

You can easily customize zSecure CICS Toolkit screens by using the API, which can be contacted by any CICS program with a standard CICS command area. Use the API to tailor the look of your screens to the requirements of a specific installation and show as little or as much as you want to your decentralized administrators. The API facilitates access checks of more than 2,000 resources, enabling you to easily replace an application's internal security with RACF security and helping to significantly improve the application's performance. zSecure CICS Toolkit API can centralize, in the RACF database, the security management of homegrown applications built for CICS.

IBM Security zSecure Audit V2.1.1 delivers a mainframe compliance management and audit solution that enables you to quickly analyze and report on mainframe events, and automatically detect security exposures through extensive status auditing. zSecure Audit provides extended and independent monitoring to track and assess the consistency of security relevant changes to z/OS across systems and the compliance of those changes in comparison to a best practice knowledge base.

Unlike offerings that only report on a copy of a database, zSecure Audit allows you to access live security data on mainframes running IBM z/OS with RACF, ACF2, or Top Secret, helping deliver audit accuracy. Analyzing the active z/OS system control blocks can help you quickly identify possible issues that could have a negative effect on the stability of security.

After auditing and analyzing the z/OS operating system, zSecure Audit prioritizes and highlights security concerns. It provides displays to view definitions, tables, exits, and other vital z/OS information, and identifies problems or potential problems. Issues are ranked by audit priority, with a number indicating the relative impact of a problem.

Extended monitoring and alerting of security events from IBM Security Key Lifecycle Manager, IBM Tivoli OMEGAMON XE on z/OS, IBM DFSMS Removable Media Manager (DFSMSrmm), TCP/IP, and IBM WebSphere Application Server assist in providing an improved view of the overall security within the mainframe environment. The technology lets you create standard and customized reports that can be generated in Extensible Markup Language (XML) format and used in databases and reporting tools.

zSecure Audit also lets you send Simple Network Management Protocol (SNMP) messages to an enterprise management console for policy exceptions or violations that can indicate a security breach or weakness. This capability is provided for RACF, CA Top Secret, and CA ACF2 environments. In addition, zSecure Audit provides security information to IBM Security QRadar SIEM dashboard for ease of viewing important events in the z/OS environment, including RACF, ACF2, CICS, and DB2.

In addition, zSecure Alert enables you to quickly determine unauthorized logons and attempts, user behavior that violates security policy, and when your core systems may be at risk. With this information readily available, you can help identify misconfigurations before they can be exploited. This capability is provided for RACF and CA ACF2 environments. This information can also be provided to QRadar SIEM for ease of viewing on the interactive dashboard.

IBM Security zSecure Command Verifier V2.1.1 is a robust policy enforcement solution that can help enforce mainframe compliance to company policies by preventing erroneous commands. As a result, it helps increase control and decrease security risks and cleanup costs. Running in the background, zSecure Command Verifier verifies RACF commands against your company's policies and procedures. When commands are entered, it verifies whether the commands comply with security policies and blocks or, optionally, adjusts the ones that do not comply.

zSecure Admin and zSecure Audit working with zSecure Command Verifier support the administration of, reporting on, and use of RACF commands and keywords to demonstrate regulatory compliance and enforcement of best practices and security policies.

Additional offerings

IBM Security zSecure Manager for RACF z/VM V1.11.1

zSecure Manager for RACF z/VM provides administrators and auditors with tools to help unleash the potential of your mainframe system, enabling efficient and effective RACF administration and auditing of the z/VM environment, including Linux on System z, while helping use fewer resources. By automating many recurring auditing and system administration functions, zSecure Manager for RACF z/VM can help you maximize IT resources, reduce errors, improve quality of services, and demonstrate compliance.

zSecure suite V2.1.1 enhancements

IBM Security zSecure Adapters for QRadar SIEM V2.1.1

zSecure Adapters for QRadar SIEM provides, maintains, and extends coverage to information in over 40 different System z System Maintenance Facility (SMF) record types, working optionally with zSecure Audit V2.1.1. The zSecure Adapters for QRadar SIEM generates QRadar Log Event Extended Format (LEEF) files with the IBM System z SMF information that can be integrated with the QRadar enterprise-wide SIEM, log management, anomaly detection, incident forensics, and configuration and vulnerability management. As new SMF records are introduced for System z security events, supporting and reporting on them from the outset is very important to conduct detailed investigations and routine security monitoring.

SMF 230 (for the installation selected record type) from CA-ACF2. (There are many organizations running this security system, including combinations of ACF2, RACF and Top Secret.)

SMF 80 as written by Top Secret. (These records are very different from SMF 80 as written by RACF but serve a comparable purpose.)

SMF 102 generated by DB2 through the AUDIT options specified for the subsystem. This allows for logging of access violations, administrative commands (GRANT, REVOKE, CREATE, ALTER, DROP), operator commands and options, access to tables, including SQL commands and connections. To enable this capability, the events must be logged by DB2 to SMF through the audit options or the TRACE AUDIT command.

SMF 110 subtype 1 generated by CICS. This allows for logging of CICS transations. To enable this capability events must be logged by CICS to SMF through the CICS Monitoring Facility.

Additional SMF record types that are generated by z/OS and its subsystems, such as SMF 14, 15, 18, and 19 for data set access (even when not audited by the security system), SMF 42 for PDS member updates and deletes, SMF 92 for UNIX file activity, SMF 118 or 119 for FTP, Telnet and other TCP/IP activity, and much more. These are essential when trying to build a picture of user behavior, whether this is part of conducting an investigation or performing routine security monitoring.

In addition to the fields from SMF records, zSecure Adapter for QRadar SIEM adds enriched descriptive audit information about the user and the resource, identifying the name, privileges, and select RACF groups for the user, and the function and purpose for system critical data sets. This information is helpful to build essential audit reports, such as:

All RACF commands issued by users with the system special attribute.

All logon by users with the system operations attribute.

All logon by users with superuser privilege.

All updates to APF data sets.

All members updated in parmlib data sets.

Security events that are not logged by RACF. (This helps the security officer make informed decisions based on the enriched data.)

If you require a higher frequency of collection, zSecure Adapters for QRadar SIEM supports more frequent collection than once a day.

Bringing it all together

zSecure suite is a valuable part of managing mainframe security as a process that helps meet the needs of auditors and the business itself. These offerings are the result of a long-term commitment to innovation on the mainframe and to enable you to improve and simplify mainframe security audit and administration. Through a broad range of offerings, zSecure suite helps you address your key mainframe challenges, such as:

Audit and compliance management

Report on questionable system configuration options and dangerous settings of privileged users.

Accessibility by people with disabilities

Value Unit-based pricing

Value Unit pricing for eligible IBM System z IBM International Program License Agreement (IPLA) programs enables a lower cost of incremental growth and enterprise aggregation. Each System z IPLA product with Value Unit pricing has a single price per Value Unit and a conversion matrix, called Value Unit Exhibit, for converting from some designated measurement to Value Units. Most commonly, Millions of Service Units (MSUs) is the measurement designated by IBM to be converted to Value Units. Some other measurements are engines or messages. Since MSUs are the most common measurement, that measurement will be used for the remainder of this description.

Value Unit pricing offers price benefits for you. For each System z IPLA program with Value Unit pricing, the quantity of that program needed to satisfy applicable IBM terms and conditions is referred to as the required license capacity . Each of the various Value Unit Exhibits stipulate that the larger your required license capacity, the fewer Value Units per MSU you will need. Value Unit Exhibits are uniquely identified by a three digit code and referred to using the nomenclature VUExxx, where xxx is the three digit code.

Subsequent acquisitions of Value Unit priced programs offer additional price benefits. The quantity of each System z IPLA program that you have acquired is referred to as entitled license capacity . If you wish to grow your entitled license capacity for a System z IPLA program, the calculation to determine additional needed Value Units is based upon the number of Value Units already acquired.

For each System z IPLA program with Value Unit pricing, you should:

Determine the required license capacity, in MSUs

Aggregate the MSUs across the enterprise

Convert the total MSUs to Value Units, using the applicable Value Unit Exhibit

Multiply the price per Value Unit by the total number of Value Units to determine the total cost

To simplify conversion from the designated measurement to Value Units or vice-versa, use the Value Unit Converter Tool. For additional information or to obtain a copy of the Value Unit Converter Tool, visit the Value Unit Converter Tool website

zSecure suite leverages the capabilities of QRadar SIEM to enable inclusion of mainframe reporting on RACF, IBM CICS, IBM DB2, CA ACF2, and CA Top Secret into QRadar SIEM enterprise-wide compliance dashboard and reporting, so that users can view the status of their enterprise security hub along with the rest of their environment.

This integration provides new capability enabling organizations to cost effectively improve the security of mainframe environments by conducting automated database vulnerability assessment tests. Integration with zSecure has enabled new System z RACF and CA ACF2 Access Control List vulnerability tests and entitlement reporting for the System z DB2 catalog, RACF, and ACF2.

IBM Security zSecure with RACF

Your investment in RACF may be enhanced with the addition of zSecure suite, which provides integrated security audit, and compliance management and administration for z/OS and RACF.

Mainframe auditing: For data center auditors, security managers, system programmers, and IT managers who need to monitor mainframe events and incidents, help reduce security vulnerability, and help enforce security policy compliance and generate audit reports, zSecure suite offers a mainframe audit solution that provides analysis and reporting of mainframe events and automated detection of exposures through extensive status auditing.

Mainframe security administration: For RACF administrators and IT managers who need to simplify and automate routine administrative tasks, and decentralize administration control, zSecure suite offers a mainframe administration suite that enables efficient and effective RACF administration typically using less resources and providing richer functionality, and helping address compliance initiatives. And by implementing a repeatable process for security management, zSecure suite can help you reduce errors and improve the overall quality of services.

Business Partner information

If you are a Direct Reseller - System Reseller acquiring products from IBM, you may link directly to Business Partner information for this announcement. A PartnerWorld® ID and password are required (use IBM ID).

All unlicensed and licensed IBM Security zSecure Suite publications, with the exception of the zSecure Release Information, are available on the IBM Security zSecure Documentation CD in English. Unlicensed publications can also be viewed and downloaded in English from the IBM Security zSecure Suite information on the IBM Knowledge Center at

The English publications are available at general availability. Following translation, national language publications will be added to the zSecure Documentation CD and the zSecure Suite information on the IBM Knowledge Center.

No hardcopy publications are shipped with the zSecure products.

Unlicensed publications

All unlicensed publications can be viewed and downloaded from the IBM Security zSecure Suite information on the IBM Knowledge Center at

The licensed publications are provided on the IBM Security zSecure Documentation CD. The zSecure Documentation CD is delivered in either physical or electronic fulfillment for zSecure products. In physical fulfillment, the CD is included as part of the materials. In electronic fulfillment, the CD is available with other electronic materials and can be downloaded. The materials stay on the server for 30 days and are then removed.

To order the zSecure Documentation CD or any of the licensed publications, send an email to tivzos@us.ibm.com and include your IBM customer number, the list of publication numbers that you want to order, and your preferred contact information. You will be contacted with further instructions to fulfill your order.

Notes :

Licensed publications have a publication number that starts with L. For example, LCD7-5373.

For information about the IBM Security zSecure Manager for RACF z/VM licensed publications, access the IBM Knowledge Center at

The Publications Center is a worldwide central repository for IBM product publications and marketing material with a catalog of 70,000 items. Extensive search facilities are provided. Payment options for orders are via credit card (in the U.S.) or customer number for 20 countries. A large number of publications are available online in various file formats, and they can all be downloaded by all countries, free of charge.

zSecure products that include features for CA ACF2 and CA Top Secret support CA ACF2 R14 and R15, and CA Top Secret R14 and R15.

The program's specifications and specified operating environment information may be found in documentation accompanying the program, if available, such as a readme file, or other information published by IBM, such as an announcement letter. Documentation and other program content may be supplied only in the English language.

IBM Electronic Support

The IBM Support Portal is your gateway to technical support. This includes IBM Electronic Support tools and resources, for software and hardware, to help save time and simplify support. The Electronic Support tools can help you find answers to questions, download fixes, troubleshoot, automate data collection, submit and track problems through the Service Request online tool, and build skills. All these tools are made available through your IBM support agreement, at no additional charge. Read about the Electronic Support portfolio of tools

Packaging

Security, auditability, and control

IBM Security zSecure products and solutions use the security and auditability features of the operating system software. The customer is responsible for evaluation, selection, and implementation of security features, administrative procedures, and appropriate controls in application systems and communication facilities. The customer is responsible for evaluation, selection, and implementation of security features, administrative procedures, and appropriate controls in application systems and communication facilities.

IBM Software Services has the breadth, depth, and reach to manage your services needs. You can leverage the deep technical skills of our lab-based, software services team and the business consulting, project management, and infrastructure expertise of our IBM Global Services team. Also, we extend our IBM Software Services reach through IBM Business Partners to provide an extensive portfolio of capabilities. Together, we provide the global reach, intellectual capital, industry insight, and technology leadership to support a wide range of critical business needs.

To learn more about IBM Software Services or to contact a Software Services sales specialist, visit

ShopzSeries provides an easy way to plan and order your z/OS ServerPac or CBPDO. It will analyze your current installation, determine the correct product migration, and present your new configuration based on z/OS. Additional products can also be added to your order (including determination of whether all product requisites are satisfied). ShopzSeries is available in the US and several countries in Europe. In countries where ShopzSeries is not available yet, contact your IBM representative (or IBM Business Partner) to handle your order via the traditional IBM ordering process. For more details and availability, visit the ShopzSeries website at

For each System z IPLA program with Value Unit pricing, the quantity of that program needed to satisfy applicable IBM terms and conditions is referred to as the required license capacity. Your required license capacity is based upon the following factors:

To order, specify the program product number and the appropriate license or charge option. Also, specify the desired distribution medium. To suppress shipment of media, select the license-only option in CFSW.

To order, specify the program product number and the appropriate license or charge option. Also, specify the desired distribution medium. To suppress shipment of media, select the license-only option in CFSW.

To receive voice technical support via telephone and future releases and versions at no additional charge, Subscription and Support must be ordered. The capacity of Subscription and Support (Value Units) must be the same as the capacity ordered for the product licenses.

To order, specify the Subscription and Support program number (PID) referenced above and the appropriate license or charge option.

IBM is also providing Subscription and Support for these products via a separately purchased offering under the terms of the IBM International Agreement for Acquisition of Software Maintenance. This offering:

Includes and extends the support services provided in the base support to include technical support via telephone.

Entitles you to future releases and versions, at no additional charge. Note that you are not entitled to new products.

When Subscription and Support is ordered, the charges will automatically renew annually unless cancelled by you.

The combined effect of the IPLA license and the Agreement for Acquisition of Software Maintenance gives you rights and support services comparable to those under the traditional ICA S/390® and System z license or its equivalent. To ensure that you continue to enjoy the level of support you are used to in the ICA business model, you must order both the license for the program and the support for the selected programs at the same Value Unit quantities.

Customized Offerings

Product deliverables are shipped only via CBPDO and ServerPac. These customized offerings are offered for Internet delivery in countries where ShopzSeries product ordering is available. Internet delivery reduces software delivery time and allows you to install software without the need to handle tapes. For more details on Internet delivery, refer to the Shopz help information at

You choose the delivery method when you order the software. IBM recommends Internet delivery. In addition to Internet and DVD, the supported tape delivery options include:

3590

3592

Most products can be ordered in ServerPac the month following their availability in CBPDO. z/OS can be ordered via CBPDO and ServerPac at general availability. Many products will also be orderable in a Product ServerPac without also having to order the z/OS operating system or subsystem.

Shopz and CFSW will determine the eligibility based on product requisite checking. For more details on the product ServerPac, visit the Help section on the Shopz website at

The information provided in this announcement letter is for reference and convenience purposes only. The terms and conditions that govern any transaction with IBM are contained in the applicable contract documents such as the IBM International Program License Agreement, IBM International Passport Advantage® Agreement, and the IBM Agreement for Acquisition of Software Maintenance.

Licensing

IBM International Program License Agreement including the License Information document and Proof of Entitlement (PoE) govern your use of the program. PoEs are required for all authorized use.

Agreement for Acquisition of Software Maintenance

The following agreement applies for Software Subscription and Support (Software Maintenance) and does not require customer signatures:

IBM Agreement for Acquisition of Software Maintenance (Z125-6011)

These programs are licensed under the IBM Program License Agreement (IPLA) and the associated Agreement for Acquisition of Software Maintenance, which provide for support with ongoing access to releases and versions of the program. These programs have a one-time license charge for use of the program and an annual renewable charge for the enhanced support that includes telephone assistance (voice support for defects during normal business hours), as well as access to updates, releases, and versions of the program as long as support is in effect.

IBM System z Operational Support Services - SoftwareXcel is an option if you desire added services.

Limited warranty applies

Yes

Limited warranty

IBM warrants that when the program is used in the specified operating environment, it will conform to its specifications. The warranty applies only to the unmodified portion of the program. IBM does not warrant uninterrupted or error-free operation of the program or that IBM will correct all program defects. You are responsible for the results obtained from the use of the program.

IBM provides you with access to IBM databases containing information on known program defects, defect corrections, restrictions, and bypasses at no additional charge. For further information, consult the IBM Software Support Handbook found at

IBM will maintain this information for at least one year after the original licensee acquires the program (warranty period).

Program support

Enhanced support, called Subscription and Support, includes telephone assistance, as well as access to updates, releases, and versions of the program as long as support is in effect. You will be notified of discontinuance of support with 12 months' notice.

Money-back guarantee

If for any reason you are dissatisfied with the program and you are the original licensee, you may obtain a refund of the amount you paid for it, if within 30 days of your invoice date you return the program and its PoE to the party from whom you obtained it. If you downloaded the program, you may contact the party from whom you acquired it for instructions on how to obtain the refund.

For clarification, note that for programs acquired under any of IBM's On/Off Capacity on Demand (On/Off CoD) software offerings, this term does not apply since these offerings apply to programs already acquired and in use by you.

Other terms

Volume orders (IVO)

No

IBM International Passport Advantage Agreement

Passport Advantage applies

No

Usage restriction

Yes. Usage is limited to the number of Value Units licensed.

For additional information, refer to the License Information document that is available on the IBM Software License Agreement website

Software Subscription and Support applies

No. For operating system software, the revised IBM Operational Support Services - SoftwareXcel offering will provide support for those operating systems and associated products that are not available with the Software Subscription and Support (Software Maintenance) offering.

This will ensure total support coverage for your enterprise needs, including IBM and selected non-IBM products. For complete lists of products supported under both the current and revised offering, visit

IBM Operational Support Services - SoftwareXcel

System i® Software Maintenance applies

Variable charges apply

Educational allowance available

Sub-capacity terms and conditions

For each System z IPLA program with Value Unit pricing, the quantity of that program needed to satisfy applicable IBM terms and conditions is referred to as the required license capacity. Your required license capacity is based upon the following factors:

The System z IPLA program you select

The applicable Value Unit Exhibit

The applicable terms

Whether your current mainframes are full capacity or sub-capacity

For more information on the Value Unit Exhibit for the System z IPLA program you selected, refer to the Ordering information section.

Note: If IBM Security zSecure Alert is ordered as a separate product, sub-capacity charges are Execution-based rather than z/OS-based, as when it is included in one of these solutions.

Full-capacity mainframes

In cases where full capacity is applicable, the following terms apply.

Execution based, z/OS based, full machine based: The required capacity of a System z IPLA program with these terms equals the MSU-rated capacity of the machines where the System z IPLA program executes.

Reference based: The required license capacity of a System z IPLA program with these terms equals the license capacity of the applicable monthly license charge (MLC) program. This MLC program is called the parent program.

Sub-capacity mainframes

In cases where sub-capacity is applicable, the following terms apply.

Execution based: The required capacity of a System z IPLA sub-capacity program with these terms equals the capacity of the LPARs where the System z IPLA program executes.

z/OS based: The required license capacity of a System z IPLA program with these terms equals the license capacity of z/OS on the machines where the System z IPLA program executes.

Reference based: The required license capacity of a System z IPLA program with these terms equals the license capacity of the applicable monthly license charge (MLC) program. This MLC program is called the parent program.

Full machine based: The required license capacity of a System z IPLA program with full machine based terms equals the MSU-rated capacity of the machines where the System z IPLA program executes.

For more information on mainframe MSU-rated capacities, refer to The IBM System z Machines Exhibit , Z125-3901, or visit the Mainframes section of the System z Exhibits website.

For additional information for products with reference-based terms, System z IPLA sub-capacity programs with reference-based terms adds value to the parent program across the environment, regardless of where in the environment the System z IPLA program executes.

An environment is defined as either a single or stand-alone machine or a qualified Parallel Sysplex®. You may have one or more different environments across the enterprise. To determine the required license capacity for each System z IPLA program with referenced-based terms, each environment should be assessed separately.

When a System z IPLA sub-capacity program with reference-based terms is used in a qualified Parallel Sysplex environment, the required license capacity of the System z IPLA program must equal with the license capacity of the parent program across the Parallel Sysplex. Qualified Parallel Sysplex refers to one:

Where MLC pricing is aggregated across the sysplex

Sub-capacity eligibility

To be eligible for sub-capacity charging on select System z IPLA programs, you must first implement and comply with all terms of either sub-capacity Workload License Charges (WLC) or sub-capacity Entry Workload License Charges (EWLC). To implement sub-capacity WLC or EWLC, a machine must be System z (or equivalent). On that machine:

All instances of the OS/390® operating system must be migrated to the z/OS operating systems.

Any licenses for the OS/390 operating system must be discontinued.

All instances of the z/OS operating systems must be running in z/Architecture® (64-bit) mode.

For that machine, you must create and submit a Sub-Capacity Report to IBM each month. Sub-Capacity Reports must be generated using the Sub-Capacity Reporting Tool (SCRT). For additional information or to obtain a copy of SCRT, visit the System z Software Pricing website

You must comply with all of the terms of the WLC or EWLC offering, whichever is applicable:

The complete terms and conditions of sub-capacity WLC are defined in the IBM Customer Agreement - Attachment for System z Workload License Charges (Z125-6516).

The complete terms and conditions for sub-capacity EWLC are defined in the IBM Customer Agreement - Attachment for IBM System z 890 and 800 License Charges (Z125-6587).

Additionally, you must sign and comply with the terms and conditions specified in the amendment to the IPLA contract - Amendment for IBM System z9 and System z Programs Sub-Capacity Pricing (Z125-6929).

Once the amendment is signed, the terms in the amendment replace any and all previous System z IPLA sub-capacity terms and conditions.

Sub-capacity utilization determination

Sub-capacity utilization is determined based on the utilization of an eligible operating system and machine (for example, z/OS running in z/Architecture (64 bit) mode on a System z ((or equivalent) server).

Sub-capacity utilization is determined based on the product's own execution as reported to IBM in accordance with the requirements for reporting sub-capacity utilization for products.

On/Off Capacity on Demand (CoD)

To be eligible for On/Off CoD pricing, you must be enabled for temporary capacity on the corresponding hardware, and the required contract, Attachment for IBM System z On/Off Capacity on Demand (Z125-7883) must be signed prior to use.

IT system security involves protecting systems and information through prevention, detection, and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, or misappropriated or can result in misuse of your systems to attack others. Without a comprehensive approach to security, no IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems, services and products are designed to be part of a lawful comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products, or services to be most effective. IBM does not warrant that systems, services and products are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.

Electronic Service Agent and the IBM Electronic Support web portal are dedicated to providing fast, exceptional support to IBM Systems customers. The IBM Electronic Service Agent tool is a no-additional-charge tool that proactively monitors and reports hardware events, such as system errors, performance issues, and inventory. The Electronic Service Agent tool can help you stay focused on your company's strategic business initiatives, save time, and spend less effort managing day-to-day IT maintenance issues. Servers enabled with this tool can be monitored remotely around the clock by IBM Support, all at no additional cost to you.

Now integrated into the base operating system of AIX® V5.3, AIX V6.1, and AIX V7.1, Electronic Service Agent is designed to automatically and electronically report system failures and utilization issues to IBM, which can result in faster problem resolution and increased availability. System configuration and inventory information collected by the Electronic Service Agent tool also can be viewed on the secure Electronic Support web portal, and used to improve problem determination and resolution by you and the IBM support team. To access the tool main menu, simply type smitty esa_main, and select Configure Electronic Service Agent. In addition, ESA now includes a powerful web user interface, giving the administrator easy access to status, tool settings, problem information, and filters. For more information and documentation on how to configure and use Electronic Service Agent, refer to

The IBM Electronic Support portal is a single Internet entry point that replaces the multiple entry points traditionally used to access IBM Internet services and support. This portal enables you to gain easier access to IBM resources for assistance in resolving technical problems. The My Systems and Premium Search functions make it even easier for Electronic Service Agent tool-enabled customers to track system inventory and find pertinent fixes.

Benefits

Increased uptime: The Electronic Service Agent tool is designed to enhance the Warranty or Maintenance Agreement by providing faster hardware error reporting and uploading system information to IBM Support. This can translate to less wasted time monitoring the symptoms, diagnosing the error, and manually calling IBM Support to open a problem record. Its 24x7 monitoring and reporting mean no more dependence on human intervention or off-hours customer personnel when errors are encountered in the middle of the night.

Security: The Electronic Service Agent tool is designed to be secure in monitoring, reporting, and storing the data at IBM. The Electronic Service Agent tool securely transmits via either the Internet (HTTPS or VPN) or modem, and can be configured to communicate securely through gateways to provide you a single point of exit from your site. Communication is one way. Activating Electronic Service Agent does not enable IBM to call into your system. System inventory information is stored in a secure database, which is protected behind IBM firewalls. It is viewable only by you and IBM. Your business applications or business data is never transmitted to IBM.

More accurate reporting: Because system information and error logs are automatically uploaded to the IBM Support center in conjunction with the service request, you are not required to find and send system information, decreasing the risk of misreported or misdiagnosed errors. Once inside IBM, problem error data is run through a data knowledge management system and knowledge articles are appended to the problem record.

Customized support: Using the IBM ID entered during activation, you can view system and support information in the My Systems and Premium Search sections of the Electronic Support website at

My Systems provides valuable reports of installed hardware and software using information collected from the systems by Electronic Service Agent. Reports are available for any system associated with your IBM ID. Premium Search combines the function of search and the value of Electronic Service Agent information, providing advanced search of the technical support knowledgebase. Using Premium Search and the Electronic Service Agent information that has been collected from your system, you are able to see search results that apply specifically to your systems.

For more information on how to utilize the power of IBM Electronic Services, contact your IBM Systems Services Representative, or visit

Variable charges: The applicable processor-based one-time charge will be based on the group of the designated machine on which the program is licensed for use. If the program is designated to a processor in a group for which no charge is listed, the charge of the next higher group listed applies. For movement to a machine in a higher group, an upgrade charge equal to the difference in the then-current charges between the two groups will apply. For movement to a machine in a lower group, there will be no adjustment or refund of charges paid.

IBM Global Financing

IBM Global Financing offers competitive financing to credit-qualified customers to assist them in acquiring IT solutions. Offerings include financing for IT acquisition, including hardware, software, and services, from both IBM and other manufacturers or vendors. Offerings (for all customer segments: small, medium, and large enterprise), rates, terms, and availability can vary by country. Contact your local IBM Global Financing organization or visit

IBM Global Financing offerings are provided through IBM Credit LLC in the United States, and other IBM subsidiaries and divisions worldwide to qualified commercial and government customers. Rates are based on a customer's credit rating, financing terms, offering type, equipment type, and options, and may vary by country. Other restrictions may apply. Rates and offerings are subject to change, extension, or withdrawal without notice.

Financing from IBM Global Financing helps you preserve cash and credit lines, enables more technology acquisition within current budget limits, permits accelerated implementation of economically attractive new technologies, offers payment and term flexibility, and can help match project costs to projected benefits. Financing is available worldwide for credit-qualified customers.

Microsoft is a trademark of Microsoft Corporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.

Other company, product, and service names may be trademarks or service marks of others.

Terms of use

IBM products and services which are announced and available in your country can be ordered under the applicable standard agreements, terms, conditions, and prices in effect at the time. IBM reserves the right to modify or withdraw this announcement at any time without notice. This announcement is provided for your information only. Additional terms of use are located at